Configuring SAML 2.0 Services: Main Steps

7-8 Securing Oracle WebLogic Server

The following example shows how you might edit an existing Asserting Party. The example gets the Asserting Party, using its Asserting Party ID, and sets the Assertion Retrieval URL.

Example 7–2 Editing an Asserting Party with WLST

connect('weblogic','weblogic','t3://localhost:7001')
rlm=cmo.getSecurityConfiguration().getDefaultRealm()
ia=rlm.lookupAuthenticationProvider('samlv2ia')
ap=ia.getAssertingParty('ap_00002')
ap.setAssertionRetrievalURL('https://hostname:7002/samlars/ars')
ia.updateAssertingParty(ap)
disconnect()
exit()

7.3 Configuring SAML 2.0 Services

This topic includes the following sections:
■ Section 7.3.1, Configuring SAML 2.0 Services: Main Steps
■ Section 7.3.2, Configuring SAML 2.0 General Services
■ Section 7.3.3, Configuring an Identity Provider Site for SAML 2.0 Single Sign-On
■ Section 7.3.4, Configuring a Service Provider Site for SAML 2.0 Single Sign-On
■ Section 7.3.5, Viewing Partner Site, Certificate, and Service Endpoint Information
■ Section 7.3.6, Web Application Deployment Considerations for SAML 2.0

7.3.1 Configuring SAML 2.0 Services: Main Steps

A summary of the main steps you take to configure SAML 2.0 services is as follows:

1. Determine whether you plan to have SAML 2.0 services running in more than one WebLogic Server instance in the domain. If so, do the following:
   a. Create a domain in which the RDBMS security store is configured. The RDBMS security store is required by the SAML 2.0 security providers so that the data they manage can be synchronized across all the WebLogic Server instances that share that data.
      Note that Oracle does not recommend upgrading an existing domain in place to use the RDBMS security store. If you want to use the RDBMS security store, you should configure it at the time of domain creation. If you have an existing domain with which you want to use the RDBMS security store, create the new domain and migrate your existing security realm to it. For information, see Chapter 10, Managing the RDBMS Security Store.
   b. Ensure that all SAML 2.0 services are configured identically in each WebLogic Server instance. If you are configuring SAML 2.0 services in a cluster, each Managed Server in that cluster must be configured individually.
   c. Note the considerations described in Section 7.3.6, Web Application Deployment Considerations for SAML 2.0.
2. If you are configuring a SAML 2.0 Identity Provider site:
Configuring Single Sign-On with Web Browsers and HTTP Clients 7-9
   a. Create and configure an instance of the SAML 2.0 Credential Mapping provider in the security realm.
   b. Configure the SAML 2.0 general services identically and individually in each WebLogic Server instance in the domain that will run SAML 2.0 services.
   c. Configure the SAML 2.0 Identity Provider services identically and individually in each WebLogic Server instance in the domain that will run SAML 2.0 services.
   d. Publish the metadata file describing your site, and manually distribute it to your Service Provider partners.
   e. Create and configure your Service Provider partners.
3. If you are configuring a SAML 2.0 Service Provider site:
   a. Create and configure an instance of the SAML 2.0 Identity Assertion provider in the security realm. If you are allowing virtual users to log in via SAML, you also need to create and configure an instance of the SAML Authentication provider. For information, see Section 5.7, Configuring the SAML Authentication Provider.
   b. Configure the SAML 2.0 general services identically and individually in each WebLogic Server instance in the domain that will run SAML 2.0 services.
   c. Configure the SAML 2.0 Service Provider services identically and individually in each WebLogic Server instance in the domain that will run SAML 2.0 services.
   d. Publish the metadata file describing your site, and manually distribute it to your Identity Provider partners.
   e. Create and configure your Identity Provider partners.

The sections that follow provide details about each set of main steps.
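Both procedures end with exchanging metadata files out of band and then creating the partner from the file you received. The metadata you load determines which entityID WebLogic Server will trust, which certificate it will use to verify the partner's signatures, and which URLs it will send browsers and assertions to, so the file deserves a look before it is loaded. The script below is an added example written by the editor for this page; it is not Oracle's code, not part of WebLogic Server, and it runs under standard CPython rather than the WLST shell. It checks that a partner's metadata describes the role you expect (IdP or SP), has not expired, advertises SAML 2.0 protocol support, uses only HTTPS endpoints with known bindings, and carries a signing certificate whose SHA-256 fingerprint you can confirm with the partner by phone or ticket. The sample metadata, its entityID and URLs, and the placeholder "certificate" bytes are all constructed for the example, and the function names and the list of checks are the editor's choice.

```python
"""Pre-load checks for a SAML 2.0 partner metadata file (added example)."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
ALLOWED_BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
                    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"}
# Role descriptor and endpoint element expected for each kind of partner.
ROLE_SPEC = {"IdP": ("md:IDPSSODescriptor", "md:SingleSignOnService"),
             "SP": ("md:SPSSODescriptor", "md:AssertionConsumerService")}


def parse_saml_time(value):
    """Parse a SAML dateTime such as 2030-01-01T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def sha256_fingerprint(cert_b64):
    """SHA-256 (hex) of the DER bytes inside a ds:X509Certificate element."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()


def check_partner_metadata(xml_text, expected_role, now=None):
    """Check partner metadata for the role we expect ('IdP' or 'SP').
    Returns (findings, summary): findings is empty when every check passed;
    summary holds entityID, endpoints and signing-certificate fingerprints."""
    if expected_role not in ROLE_SPEC:
        raise ValueError("expected_role must be 'IdP' or 'SP'")
    now = now or datetime.now(timezone.utc)
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["root element is not md:EntityDescriptor"], {}
    entity_id = root.get("entityID", "")
    summary = {"entityID": entity_id, "endpoints": [], "signing_fingerprints": []}
    if not entity_id:
        findings.append("entityID attribute is missing")

    # Expired metadata must not be loaded: the partner re-publishes on key rotation.
    valid_until = root.get("validUntil")
    if valid_until and parse_saml_time(valid_until) <= now:
        findings.append("metadata expired at %s" % valid_until)

    desc_tag, endpoint_tag = ROLE_SPEC[expected_role]
    desc = root.find(desc_tag, NS)
    if desc is None:
        findings.append("no %s: file does not describe an %s" % (desc_tag, expected_role))
        return findings, summary
    if SAML2_PROTOCOL not in desc.get("protocolSupportEnumeration", "").split():
        findings.append("descriptor does not advertise SAML 2.0 protocol support")

    # Each advertised endpoint is where our server will send browsers and
    # assertions, so it must be HTTPS and use a binding we support.
    for ep in desc.findall(endpoint_tag, NS):
        binding, location = ep.get("Binding", ""), ep.get("Location", "")
        summary["endpoints"].append((binding, location))
        if not location.startswith("https://"):
            findings.append("non-HTTPS endpoint: %s" % location)
        if binding not in ALLOWED_BINDINGS:
            findings.append("unsupported binding: %s" % binding)
    if not summary["endpoints"]:
        findings.append("no %s endpoint found" % endpoint_tag)

    # The signing certificate is what verifies the partner's signatures;
    # a KeyDescriptor without a use attribute covers signing as well.
    for kd in desc.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text and cert.text.strip():
            summary["signing_fingerprints"].append(sha256_fingerprint(cert.text))
    if not summary["signing_fingerprints"]:
        findings.append("no signing certificate in metadata")
    return findings, summary


# Constructed sample (assumption): an IdP with one HTTPS POST endpoint and one
# plain-HTTP Redirect endpoint. The certificate is the placeholder bytes "abc",
# not real DER, so its fingerprint is simply SHA-256("abc").
PLACEHOLDER_CERT_B64 = base64.b64encode(b"abc").decode()
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml2" validUntil="2030-01-01T00:00:00Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml2/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.com/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % PLACEHOLDER_CERT_B64

if __name__ == "__main__":
    f, s = check_partner_metadata(SAMPLE_IDP_METADATA, "IdP")
    print(s["entityID"], s["signing_fingerprints"], f or "no findings")
```

Run it against the file a partner sent you with `check_partner_metadata(open(path).read(), "IdP")` (or `"SP"`) and treat any finding as a reason not to load the file yet; the plain-HTTP Redirect endpoint in the sample is exactly the kind of thing that is easy to miss in a console form. WebLogic Server parses the metadata again when you create the partner, so this is a review step, not a replacement for the product's own handling, and the fingerprint it prints is only useful if you compare it with a value the partner gives you over a channel other than the one the file arrived on.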

7.3.2 Configuring SAML 2.0 General Services